How to disable 'X-Frame-Options' response header in Spring Security?

长情又很酷 2020-11-27 12:25

I have CKEditor on my JSP and whenever I upload something, the following error pops up:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKE


        
6 Answers
  •  广开言路
    2020-11-27 13:13

    Most likely you don't want to deactivate this Header completely, but use SAMEORIGIN. If you are using the Java Configs (Spring Boot) and would like to allow the X-Frame-Options: SAMEORIGIN, then you would need to use the following.


    For older Spring Security versions:

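    // Requires: org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter
    http
       .headers()
           .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN));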
    

    For newer versions like Spring Security 4.0.2:

    http
       .headers()
          .frameOptions()
             .sameOrigin();
    
